
CLAIMS 



WHAT IS CLAIMED IS: 

1 . A system for limiting access to the fimctionality of one or more software applications, 
comprising: 

a first memory configured to store first data related to each of the one or more software 
applications; 

the first memory fiirther configured to store second data related to each of one or more 
users of any of the software applications; and 

a rules checker in communication with the software applications and the first memory, 
said rules checker configured to: 



wherein said message provides instructions to the particular software application 
regarding entitlements of one of the users to access a particular fimction of the particular 
software application. 

2. The system according to claim 1, wherein the first memory is a relational database. 



receive at least one query, said query originating from any particular one of the 



software applications, and 



forward a message to the particular software application in response to the query; 
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3. The system according to claim 1, wherein the each of the one or more software applications 
are implemented on one of a mainframe and a distributed computing system. 

4. The system according to claim 1, further comprising: 

a second memory configured to store proprietary data useful to the particular software 
application, and 

wherein said message provides information to the particular software application 
regarding authorization to output portions of the proprietary data. 

5. The method according to claim 1 , wherein the respective first data for each software 
application includes an identification of hierarchically arranged functions associated with that 
software application. 

6. The method according to claim 5, wherein the query further comprises information relating to 
the one of the users and relating to at least one of the functions associated with the particular 
software application, and 

wherein the message relates to that one user's authorization to access the at least one 
function. 

7. The system according to claim 5, wherein the identification of hierarchically arranged 
functions include functions, sub-functions, and sub-sub functions. 
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8. The system according to claim 1, wherein the respective first data for each software 
application includes an identification of data fields associated with that software application. 

9. The system according to claim 8, wherein the query fiirther comprises information relating to 
one of the users and relating to at least one of the data fields associated with the particular 
software application, and 

wherein the message relates to that one user's authorization to access the at least one 

field. 

1 0. The system according to claim 1 , wherein the rules checker is fiirther configured to: 

generate the message based on the query, the first data and the second data. 



11. The system according to claim 1 , wherein: 

the respective second data for each of the users includes at least one role, firom among a 

(11 

p plurality of roles, associated vwth that particular user, and 

the respective first data for each software application includes: 
5 an identification of hierarchically arranged fimctions associated with that 

software application, and 

an description of which of the plurality of roles is entitled to access each of the 

fiinctions. 



12. The system according to claim 1 1, wherein: 
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the query includes an identification of a specific one of the users and a specific one of the 
functions associated with the particular software application; 

the rules checker is further configured to generate the message based on the query, the 
first data and the second data; and 

the message instructs the particular software application regarding that specific user's 
entitlement to access that specific function. 

1 3. The system according to claim 1 2, wherein the rules checker logs data relating to an instance 
in which the specific user is not entided to access that specific function. 

14. The system according to claim 4, wherein the respective second data for each of the users 
includes an access level from among a plurality of access levels, associated with that particular 
user, said access level determining an authorization of that particular user to access proprietary 
data v^thin the second memory, and 

the rules checker is further configured to generate the message based on the query, the 
first data and the second data. 

15. The system according to claim 1, further comprising: 

an administrative application configured to facilitate administration of the first and 
second data. 
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16. The system according to claim 15, wherein the administrative application is ftirther 
configured to manipulate the first data according to which of a plurality of clients one or more of 
the users is associated with. 

17. The system according to claim 1 5, wherein the administrative application is further 
configured to manipulate the first data according to an identity of a particular one of the users. 

18. The system according to claim 15, wherein the administrative application is further 
configured to manipulate the first data according to which of a plurality of roles a particular one 
of the users is associated with. 

19. The system according to claim 15, wherein the administrative application is further 
configured to manipulate all the first data relating to a specific one of the software applications. 

20. The system according to claim 15, wherein the administrative application is further 
configured to manipulate all the first data relating to one of a plurality of functions associated 
with a specific one of the software applications. 

21 . The system according to claim 1 , further comprising: 

an auditing application configured to facilitate auditing of the first and second data and 
any additional data generated by the rules checker. 
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22. The system according to claim 21, wherein the auditing application is further configured to 

r f 

provide a history, upon request, of messages forwarded by the rules checker. 

23. The system according to claim 22, wherein the history emphasizes those messages related to 
a failed attempt to access the particular function. 

24. The system according to claim 22, wherein the auditing application is further configured to 
provide a history, upon request, of changes to one or both of the first data and the second data. 

25. A method for providing application-level security, said method comprising the steps of: 

storing first data relating to a plurality of software applications; 

storing second data relating to a plurality of users of the software applications; 

receiving a query fi-om a particular one of the software applications; 

in response to the query, forwarding a message to the particular software application, said 
message providing instructions to the particular software application regarding entitlements of a 
particular user to access a function of the particular software application. 

26. The method according to claim 25, further comprising the step of: 

generating the message based on the query, the first data and the second data. 

27. The method according to claim 26, wherein the query includes an identification of the 
particular user and the fiinction. 
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28. The method according to claim 25, wherein the second data includes for each user, one or 
more of an associated user ID, client name, role, and business level 

29. The method according to claim 28, wherein the first data includes for each software 
application an identification of associated hierarchically arranged fimctions and characteristics of 
those users authorized to access each such function. 

30. The method according to claim 29, further comprising the steps of: 

correlating the first and second data to determine authorized functions, said authorized 
functions being those particular functions of each software application which are accessible by a 
specified user; 

generating the message based on the query and the determination of authorized fimctions, 
wherein said query includes an identification of the particular user and the function. 

3 1 . The method according to claim 28, wherein the first data includes for each software 
application an identification of associated data fields and characteristics of entitlements of users 
to each data field. 

32. The method according to claim 3 1 , further comprising the steps of: 

correlating the first and second data to determine authorized data field operations, said 
authorized operations being those particular operations of each data field which are permitted to 
a specified user; and 
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generating the message based on the query and the determination of authorized 
operations, wherein said query includes an identification of the particular user and of a 
predetermined data field. 

33. The method according to claim 29, further comprising the steps of: 

storing proprietary data useful to one or more of the software applications; and 
storing third data relating to accessibility of the proprietary data. 

34. The method according to claim 33, further comprising the steps of: 

correlating the first, second and third data to determine authorized data accesses, said 
authorized data accesses being those particular data accesses of the proprietary data which are 
permitted to a specified user; and 

generating the message based on the query and the determination of authorized data 
accesses, wherein said query includes an identification of the particular user and of 
predetermined proprietary data. 

35. The method according to claim 25, further comprising the step of: 

creating a log entry relating to the message if the message indicates instructions which 
prohibit the particular software application access to the function. 

36. The method according to claim 29, further comprising the step of: 
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administering the first and second data by manipulating one or both of the first and 
second data according to which of a plurality of clients one or more of the users is associated 
with. 

37. The method according to claim 29, further comprising the step of: 

administering the first and second data by manipulating one or both of the first and 
second data according to the identity of a particular one of the users. 

38. The method according to claim 29, further comprising the step of: 

administering the first and second data by manipulating one or both of the first and 
second data according to which of a plxirality of roles one or more of the users is associated with. 

39. The method according to claim 29, further comprising the step of: 

administering the first and second data by manipulating all the first data relating to a 
specific one of the software applications. 

40. The method according to claim 29, further comprising the step of: 

administering the first and second data by manipulating all the first data relating to one of 
a plurality of functions associated with a specific one of the software applications. 

41. A computer readable medium bearing instructions for providing application-level security, 
said instructions being arranged to cause one or more processors upon execution thereof to 
perform the steps of: 
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storing first data relating to a plurality of software applications; 
5 storing second data relating to a plurality of users of the software applications; 

receiving a query from a particular one of the software applications; 

in response to the query, forwarding a message to the particular software application, said 
message providing instructions to the particular software application regarding entitlements of a 
particular user to access a ftmction of the particular software application. 

10 

0Q.J\t{^ThQ system according to claim 14, fiirther comprising: 

a non- volatile data store indicating a hierarchical arrangement of the plurality of access 
sil levels, and 

^ wherein the rules checker is further configured to consult the data store when determining 

5 the authorization of that particular user. 

Ei ■ • 

H 

h| The system according to claim 2 1 , wherein the auditing application is ftirther configured to 

provide real-time data logging and retrieval. 

^^^^ The system according to claim 2, wherein any updates to data within the relational database 
are performed in real-time and the rules checker is fiirther configured to use the updated data. 

^ Jl4. The system according to claim 1, wherein the particular software application is a simulation 
application, said simulation application is configured to: 

provide in the query to the rules checker a simulated user identity and a simulated 
secured resource identity; 
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5 receive from the rules checker the message forwarded by the rules checker; and 

i 

determine the entitlements of the simulated user to access the simulated secured 
resource. 

i\ip The system according to claim 5, wherein the query requests a listing of entitlements for the 
one user, said listing identifying the entitlements for every function associated with the one user, 
and wherein the message includes said listing. 



r* Th^ system according to claim 45, wherein query includes filtering parameters such that the 

^il listing includes only those entitlements which satisfy the filtering parameters. 

m 

% Th^ system according to claim 46, wherein the filtering parameters specify one or more of a 

M user role, a function identity, an application identity, a user identity, and a data access level. 

ill 

^ system according to claim 14, wherein the authorization of the particular user to access 



proprietary data depends, at least in part, on the particular software application identity. 

The system according to claim 14, wherein the authorization of the particular user to access 
proprietary data depends, at least m part, on the particular function identity. 
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